Home Affairs Committee
Written evidence submitted by Philip Virgo, Former Secretary General of EURIM, the Information Society Alliance [EC 04]
(1) Introduction
The Home Affairs Select Committee announced the inquiry into e-Crime a week before the Information Society Alliance (EURIM) changed its name to the Digital Policy Alliance and appointed new Parliamentary and Industry Chairmen for its work stream on e-Crime and Cyber Security. The new group was not therefore in a position to assemble and agree a formal response. I retired as Secretary General of EURIM in September 2011 but remain a consultant and have assembled the submission below based on the published work of the studies which I organised over the period 2002–11, plus two industry round tables earlier this year to plan the programme which is now being carried forward.
EURIM began work in this area in 2002 when the then chairman, Brian White MP, presented a call for a National Strategy http://www.eurim.org.uk/resources/briefings/br34.pdf to the Minister. A joint study with his officials and with the Institute of Public Policy Research on “Partnership Policing for the Information Society” then found consensus on over 50 recommendations. Most are covered in the action plans for the current Cyber Security Strategy https://update.cabinetoffice.gov.uk/resource-library/cyber-security-strategy or the Fighting Fraud Together programme http://www.homeoffice.gov.uk/publications/agencies-public-bodies/nfa/fighting-fraud-tog/fighting-fraud-together?view=Binary.
The six main papers http://www.eurim.org.uk/activities/e-crime/partpolicing.php covered:
Separating Myth from Reality and Snake-Oil from Practicality (with an appendix on the scale and nature of computer assisted crime).
Protecting the Vulnerable: (addressing the needs of small firms plus associated crime prevention material).
Supplying the Skills for Justice: (addressing the needs of law enforcement and industry for investigatory and enforcement skills).
Reducing Opportunities for e-Crime: (making it harder for criminals to identify and attack or impersonate Internet users and their systems).
The Reporting of Cybercrime: (who should report what to whom? How should they do so? What should happen next?).
Building Cybercommunities: Beating Cybercrime: The organisation of Internet policing.
An update, “Tackling Crime and achieving confidence in the on-line world”, with “technical appendices”, covering specific areas http://www.eurim.org.uk/activities/ecrime/PIC07_AdvanceNote.pdf was produced for the 2007 Parliament and the Internet Conference. The Alliance subsequently assisted a further mapping exercise conducted by Professor Michael Levi, the results of which are due to be presented on 10 September 2012. The industry members of the Group have also organised a number of meetings this year to review progress in specific areas.
(2) What e-crime is understood to be and how this affects crime recording
Little has changed since the first report from the EURIM—ippr study http://www.eurim.org.uk/activities/ecrime/partnerpolicing.pdf, which found three broad categories of activity being addressed under the umbrella of e-crime:
“Crimes made more efficient by using computers and the Internet to gain access to larger numbers of potential victims at lower cost/risk to the perpetrator. Examples include auction fraud, identity cloning, mis-selling and paedophilia.
Conventional criminal activities managed through use of electronic services. Examples include the use of email, mobiles, search engines, funds transfer et al in support of blackmail, fraud, extortion, drug or people trafficking.
Attacks on computer systems themselves. Examples include viruses and denial of service. Many of these look to victims like familiar crimes such as vandalism (e.g. defacing web sites) or criminal damage (e.g. causing a computer to crash).”
The fifth report from that study http://www.eurim.org.uk/activities/ecrime/reporting.pdf looked at the issues of reporting. Its recommendations finally bore fruit earlier this year when an on-line “one stop shop” website for reporting possible e-crimes went live under the aegis of Action Fraud http://www.actionfraud.police.uk/report_fraud. No analyses have yet been published. Meanwhile victims still have no incentive to report unless they think action will be taken as a result. A consequence is that we have no reliable data on the scale and nature of e-crime: only extrapolations from anecdotal data in support of special pleading.
(3) The extent and nature of the threats on which e-crime policy is based and how well they are understood by policy makers
A consequence of the assumptions made when extrapolating from that which is reported is that we have wildly differing claims as to what is “really” happening. Thus the £27 billion figure in a report for the Cabinet Office www.baesystems.com/cs/groups/public/documents/document/mdaw/mdm5/~edisp/baes_020885.pdf is countered by a paper http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf which contrasts criminal earnings in the $millions with security spend in the $billions.
Much, perhaps most, fraud is now linked to on-line activities, including to establish fictional identities or to obtain credentials (eg credit card details, account numbers and passwords) in the name of the victims. Even bigger figures are given for the cost of fraud http://www.bbc.co.uk/news/uk-17548260. But much of this is again extrapolation, with estimates of the cost to HMRC and DWP (for example) going up or down in support of bids for powers and resources to address tax or benefit fraud.
Given the consequent conflict regarding the scale and nature of the threats, let alone whether proposals (eg on electronic identities or on data breach notification) help address them, it is not surprising that policy makers are confused.
(4) The effectiveness of current law enforcement and legislative capabilities, including local and regional capabilities and the potential impacts of proposed organisational change
In its submission to the 2004 Home Office consultation paper on the Police Reform White Paper http://www.eurim.org.uk/activities/ecrime/policereform.pdf EURIM noted that “The total funding available to the NHTCU (including for supporting Computer Crime Units) is less than the individual electronic security and investigation budgets of most major High Street banks or of the main network or outsource suppliers.” The current budgets for the equivalent activities today of the Police Central e-Crime Unit, the Serious and Organised Crime Unit and the Economic Crime team of the City Police are many times those of the NHTCU. But the disparities remain. One bank alone is said to spend over £600 million a year securing its systems and taking action against those attempting to attack or defraud it and its customers. That may be exceptional, but budgets of over £100 million are not unusual. Moreover, investigations under civil and contract law are said to earn UK-based private sector investigation operations (e.g. computer forensics, transaction tracing etc.) several £billion a year.
(5) Whether there are any gaps in the response to e-crime and, if so, how they should be addressed
Since the demise of the Internet Crime Forum there has been no mechanism for bringing together the internet industries, law enforcement and relevant government departments to review what is happening, including progress with regard to the initiatives being planned or under way. The industry members of the Digital Policy Alliance are planning a quarterly review mechanism covering those initiatives with which they are already involved or which are seeking their support.
(6) Options for addressing key emerging issues that will affect the public such as liability over personal computer security, personal data held by social networking sites and its vulnerability to criminal use
EURIM members supported the House of Lords enquiry into Personal Internet Safety and agreed with its findings http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/165i.pdf. A well received EURIM paper on Security by Design http://www.eurim.org.uk/activities/ig/1010-SbD_Full.pdf subsequently identified that a core point of leverage was to ensure that privacy and security are built into online systems at the design stage.
The study team suggested that the Government’s main contribution should be as a more intelligent customer working with the relevant trade associations and professional and academic bodies. Among its other recommendations were that:
Government should support the provision of shared audit services and databases of assessed products and services and help enable these services to be widely used at affordable cost: perhaps building on the work of The National Technical Authority for Information Assurance (CESG) and Centre for the Protection of National Infrastructure (CPNI).
Professional bodies, such as The British Computer Society (BCS) and the Institution of Engineering and Technology (IET) and the UK chapters of the international associations, should review the standards of competence and integrity they expect of their members and co-operate to improve the quality of registers of current practitioners and reduce duplication of effort and cost.
Trade associations should facilitate co-operation in the validation, cross-licensing and use of relevant audit tools and techniques so that these can be routinely used, including by small innovative firms, while fairly rewarding those who develop and maintain them.
Accounting, actuarial and legal professional bodies should work with those for information and security and technology systems to produce shared practice notes and guidelines on assessing the value and security of systems to support better informed decisions on investment, insurance, responsibility and liability.
Government, Industry, professional bodies and education and training providers (including those responsible for electronic warfare, law enforcement and service delivery) should co-operate in bringing the current confusion of standards, accreditations, qualifications and courses into line and fit for purpose.
The Law Society should be asked to convene a cross-professional group to look at whether mass market systems without embedded SbyD are “fit for purpose” and to draft guidance for members who may be consulted on the consequences that might arise from legal action in this area.
(7) The effectiveness of current initiatives to promote awareness of using the internet safely and the implications of people’s online behaviours for related public policy
The National Audit Office report on “Staying Safe On-line” said that “Get Safe On-line” http://www.getsafeonline.org/ and “ThinkUKnow” http://www.thinkuknow.co.uk/ “have achieved good value for their limited resources, using cost effective means to disseminate advice”. It also described the failure of Government departments to link to the sites and the risk of duplicated effort. Earlier this year a EURIM round table found that industry was confused by calls from government departments and agencies to support apparently duplicated efforts. They felt it important for Government to build on what was already understood and supported—such as Get Safe On-line and ThinkUKnow.
It was also important to cross-fertilise initiatives, for example using the research commissioned by the National Fraud Authority into types of fraud http://www.homeoffice.gov.uk/publications/agencies-public-bodies/nfa/our-work/fraud-typologies?view=Binary and the experiences and needs of victims http://www.homeoffice.gov.uk/publications/agencies-public-bodies/nfa/our-work/better-deal-for-fraud-victims?view=Binary to help plan and inform on-line safety and awareness programmes, including those for the staff of government departments and agencies. On 13 September The National Archive is hosting an all-day knowledge transfer workshop to that end, drawing on the large-scale behaviour change (i.e. not just awareness) programmes already running in the private sector.
(8) Conclusion
I would be pleased to provide follow-up evidence on any of the above topics, either written or oral, but might also wish to ask some of those working on the new Digital Policy Alliance programme in this area to help me update some of the answers.
August 2012